Major U.S. news sites including the Los Angeles Times and the Chicago Tribune are still blocking European visitors more than a month after the enforcement of the General Data Protection Regulation.

Chicago Tribune parent Tronc started blocking EU visitors after May 25, when GDPR took effect. The regulation requires businesses to seek site visitors’ consent to collect personal data from them that could be used, in the case of publishers and marketers, for ad targeting.

“We continue to identify technical compliance solutions that will provide all readers with our award-winning journalism,” a message on the L.A. Times homepage reads to visitors it detects as being from the EU.

Lee Enterprises, The Dallas Morning News and local news network Patch are also blocking EU visitors.

“Our site is unavailable to European Union visitors while we work with our partners to ensure your data is protected,” reads a message on The Dallas Morning News site.

Other sites including USA Today are showing EU visitors nontargeted ads. Meredith and The Washington Post are asking EU visitors to agree to new terms to access the site (with the Post even upselling them to an ad-free version of the site).

Entertainment news site Topix is blocking EU visitors from the news and forum parts of its site, which it judged to be especially vulnerable to GDPR, CEO Chris Tolles said. For everything else, Topix is running nontargeted ads to the EU, which makes up just a few percentage points of his traffic, he said.

“Right now, I just don’t understand what my risks are,” he said. “It just behooved me to wait till the regulators figure out what to do. Europe isn’t a big-enough market.”

Tronc expects to reopen its sites to EU traffic in the coming months, a source there said.

Given their limited EU audience, it makes sense for these publishers to be cautious, said Chris Olson, CEO of The Media Trust, which helps publishers keep track of user data that’s collected on their sites.

“They don’t want to lose their EU audiences, but they also want to avoid the risk of infringing the GDPR and paying 4 percent of their global revenue, especially in cases where EU revenue fails to justify that risk.”

Chris Pedigo, svp of government affairs at Digital Content Next, a trade association for digital publishers, said it’s still unclear which tech solutions for gathering and storing consent data are fine-proof, and for sites that don’t get much traffic from the EU, it’s not worth the hassle to evaluate all the options and risk choosing one that has weaknesses. Publishers are also waiting to see how regulators will enforce the law, and with European summer vacation season around the corner, no one expects that to start until at least September.

The fact that online privacy is gaining steam is, maybe ironically, another reason for publishers like these to take a wait-and-see approach. In addition to GDPR, there’s its companion ePrivacy Regulation, which protects the privacy of online communications; and more relevant to U.S. companies, California’s just-passed online privacy law, which could become the default for the U.S. It doesn’t make sense for publishers to get compliant with one set of rules, only to have to redo the process in a few months. This may be a case where there’s little advantage to being first.

“Attorneys are advising them: ‘You don’t want to be an outlier. You want to be right in the middle,’” Pedigo said.

As for publishers that are already GDPR-compliant, they are also talking about how to turn the privacy demand to their financial advantage, a la The Washington Post, said Brian Kane, COO of Sourcepoint, which has a consent management platform that helps publishers comply with the GDPR.

“It comes down to, every dollar counts and if there’s a way to marry GDPR with some ad monetization, some publishers are leaning into that,” he said. “Every conversation we have, it starts with consent and moves to monetization.”